Best practices for compliance during a merger

Company mergers involve more than just aligning two different security infrastructures. When one vendor acquires another, it's the handling of compliance issues that can be an IT security staff's toughest task. In this tip, security expert Joel Dubin offers a primer for merging companies that may be in different stages of the compliance process.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

logical for the business, but trying to knit together two disparate systems can be a nightmare for its IT staff. In particular, for the IT security team, which is typically responsible for any compliance problems.

If assembling two IT security infrastructures seems daunting, imagine putting together two companies at different stages of the compliance process. Thankfully, it may not be as bad as it seems. The two key factors determining the difficulty of meshing compliance efforts are the industries of the partners, and the specifics of the particular compliance provisions they must meet. Creating a unified compliance team, consisting of compliance staff from both companies, is an effective way to ease the process.

Obviously, mergers aside, there is often overlap even for individual companies. A bank issuing credit cards might have to meet SOX, GLB and the PCI Data Security Standard. A large health care company, if publicly traded or part of a financial group, might be required to meet SOX standards, in addition to its usual HIPAA requirements.

Regulation-specific issuesIn regard to each of the commonly applicable regulations mentioned above, the most critical issues to consider are access management, information security policies, protection of customer data and monitoring and testing.

SOX Section 404 is the provision affecting IT security. This section calls for controls on IT systems that access sensitive customer and financial data. It's vague about how to implement those controls, but it basically looks for documentation covering access management, encryption, firewalls and malware protection. In addition, a solid information security policy outlining implementation of these items must be in place.

From a merger perspective, SOX auditors and regulators will look for reports on access management controls. Before the auditors arrive though, there are some key questions security pros should ask to ensure both companies are on a level playing field: What types of access management systems do the two companies use? Are they both on Active Directory, or is one using LDAP while the other uses something else? What's the current state of audits of accounts at both companies?

GLBA has similar provisions to SOX, but it's more focused on protecting customer data rather than access management. GLBA calls for encryption of confidential data, use of strong passwords for accessing systems, limiting employee access to customer data and physical security for customer records. As with SOX, in a merger situation, the security teams should compare each company's encryption methods, customer data-handling procedures and overall adherence to their respective information security policies. Policies and procedures will need to be adjusted to common standards for both companies. Also, as with SOX, all of this needs to be documented for regulators.

HIPAA governs protection of patient information for companies in the medical industry. The focus here, like with GLBA, is protecting customer -- in this case, patient -- information. In a merger, the two companies have to compare notes about their controls over customer information, and then produce common documentation for regulators.

SOX, GLB and HIPAA are all government regulations backed by law. PCI, on the other hand, is an industry standard backed by a consortium of the five largest credit card companies: Visa, MasterCard, Discover, American Express and JCB. PCI is a comprehensive standard with 12 requirements covering protection of customer data, encryption, network security and firewalls, access management controls, information security policies and monitoring and testing of network security. It covers multiple areas where security practices may differ, resulting in a headache for merging companies.

All about data and accessEven though all of the regulations are targeted at the same basic items -- access controls, protection of customer data and monitoring network security – be sure to observe the specific requirements of each. The regulations similar mandates don't mean that compliance with one will translate into compliance with another.

In an effort to make the entire process easier, newly acquired companies must create a compliance point person for the melded organization. That person should come from one of the two merger partners, and be able to work directly with compliance people from both organizations to achieve compliance harmony.

About the authorJoel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and the author of The Little Black Book of Computer Security. He has a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy